CN116368833A - Method and system for establishing and authenticating secure connection for edge computing service - Google Patents


Info

Publication number
CN116368833A
Authority
CN
China
Prior art keywords
ecs
server
psk
key
secure connection
Prior art date
Legal status
Pending
Application number
CN202180069021.7A
Other languages
Chinese (zh)
Inventor
拉加维瑟曼·拉加杜莱
尼桑特·古普塔
罗西尼·拉金德兰
尼维迪亚·帕拉巴斯·萨西
Current Assignee
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd

Classifications

    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04W12/041 Key generation or derivation
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/0433 Key management protocols

Abstract

Methods and systems for authentication for accessing edge computing services and establishment of secure connections are provided. The method includes dynamically deriving a pre-shared key (PSK) and authenticating using the dynamically derived PSK at or before performing secure connection establishment, or at or before establishing a secure interface between a User Equipment (UE) and a server, wherein the UE includes an Edge Enabled Client (EEC) and the server is an Edge Configuration Server (ECS). The method also includes deriving the PSK based on an Authentication and Key Management for Applications (AKMA) application key.

Description

Method and system for establishing and authenticating secure connection for edge computing service
Technical Field
The present disclosure relates to the field of edge computing systems. More particularly, the present disclosure relates to the establishment and authentication of secure connections for edge computing services.
Background
To meet the increasing demand for wireless data services since the deployment of 4G communication systems, efforts have been made to develop an improved 5G or pre-5G communication system. Hence, a 5G or pre-5G communication system is also referred to as a "beyond 4G network" or a "post-LTE system". A 5G communication system is considered to be implemented in higher frequency (millimeter wave) bands (e.g., the 60 GHz band) in order to achieve higher data rates. To reduce propagation loss of radio waves and increase transmission distance, beamforming, massive Multiple Input Multiple Output (MIMO), full-dimensional MIMO (FD-MIMO), array antennas, analog beamforming, and large-scale antenna techniques are discussed for 5G communication systems. In addition, in 5G communication systems, system network improvement is being developed based on advanced small cells, cloud Radio Access Networks (RANs), ultra-dense networks, device-to-device (D2D) communication, wireless backhaul, mobile networks, cooperative communication, coordinated multipoint (CoMP), reception-side interference cancellation, and the like. In 5G systems, hybrid FSK and QAM modulation (FQAM) and Sliding Window Superposition Coding (SWSC) have been developed as advanced coding modulation (ACM) techniques, and Filter Bank Multicarrier (FBMC), non-orthogonal multiple access (NOMA) and Sparse Code Multiple Access (SCMA) as advanced access techniques.
The internet, which is a human-centric connectivity network in which humans generate and consume information, is now evolving into the Internet of Things (IoT), in which distributed entities such as things exchange and process information without human intervention. The Internet of Everything (IoE), which combines IoT technology with big data processing technology through connection with cloud servers, has emerged. As IoT implementations require technical elements such as "sensing technology," "wired/wireless communication and network infrastructure," "service interface technology," and "security technology," sensor networks, machine-to-machine (M2M) communications, Machine Type Communications (MTC), etc. have recently been investigated. Such IoT environments may provide intelligent internet technology services that create new value for human life by collecting and analyzing data generated between connected things. IoT may be applied in a variety of fields including smart homes, smart buildings, smart cities, smart or connected cars, smart grids, healthcare, smart appliances, and advanced medical services, through fusion and combination of existing Information Technology (IT) with various industrial applications.
Accordingly, various efforts have been made to apply 5G communication systems to IoT networks. For example, techniques such as sensor networks, Machine Type Communications (MTC), and machine-to-machine (M2M) communications may be implemented by beamforming, MIMO, and array antennas. The application of a cloud Radio Access Network (RAN) as the big data processing technology described above may also be regarded as an example of the fusion of 5G technology and IoT technology.
The edge computing system enables deployment of cloud computing and service environments in proximity to User Equipment (UE)/user devices to provide edge computing services. Edge computing services provide several benefits compared to cloud environments, such as, but not limited to, lower latency, higher bandwidth, reduced backhaul traffic, new service prospects, and the like.
In addition, with the advent of edge computing systems, applications can respond faster and provide features that are not possible without the low latency and fast processing capabilities provided by edge computing systems. In applications such as Virtual Reality (VR), network-assisted processing is highly dependent on edge computing systems. Certain features of the application may still be provided without using the edge computing system, however, certain features may not be provided/serviced without the edge computing system.
Edge computing systems may be provided by service providers such as Mobile Network Operators (MNOs), which may not be ubiquitous in the near future due to operational and financial constraints. In order to take advantage of the capabilities and features provided by an edge computing system, an application must be aware of any edge computing system/feature it uses, such as to enable or disable features that depend on the use of the edge computing system. In addition, the availability of such edge computing systems may change dynamically for a variety of reasons. The application must be notified of such changes to fine tune the provided services accordingly. For example, the availability of applications that rely on an edge computing system may depend on the location of the user, content available at the edge server, and so on.
Fig. 1 depicts an application architecture for implementing an application supporting an edge computing system, as defined in TR 23.758 and TS 23.558, according to the related art.
Referring to fig. 1, the EDGE-4 reference point enables interactions between the Edge Enabled Client (EEC) of a UE and the Edge Configuration Server (ECS). The EDGE-4 interface is the Ua-x interface defined in the AKMA specification TS 33.535. The ECS provides the support functions required for EEC to Edge Enabled Server (EES) connections. The EDGE-4 reference point supports providing edge configuration information (e.g., Uniform Resource Identifier (URI) or Local Area Data Network (LADN) service information) to EECs. The EEC performs functions such as configuration information retrieval from the ECS via the EDGE-4 interface.
According to TS 23.558, the ECS may be deployed in the MNO domain or by a third-party service provider, and the EEC may communicate simultaneously with one or more ECSs. If an MNO-deployed ECS has a contract with one or more Edge Computing Service Providers (ECSPs), the ECS provides the EES configuration information of both MNO-owned and ECSP-owned EESs via the MNO ECS, as described in clause 8.3.3.2. If the ECS is deployed by a non-MNO ECSP, the EEC may be configured with the ECS endpoint address. An EEC that knows the ECS endpoint addresses of multiple ECSPs may perform the service provisioning procedure multiple times, once per ECS of each ECSP.
In an edge computing system, the UE/EEC may communicate with the ECS to access the edge computing system. The EEC and ECS use the Transport Layer Security (TLS) protocol, Internet Key Exchange version 2 (IKEv2), or Extensible Authentication Protocol (EAP) procedures when first communicating with each other.
The TLS protocol provides a TLS handshake that allows the peers/UE to negotiate a TLS protocol version, select cryptographic algorithms, optionally authenticate each other, and establish shared keying material. Once the handshake is completed, the peers use the established keys to protect application layer traffic. Similarly, IKEv2 is a component of the Internet Protocol Security (IPsec) protocol suite for performing mutual authentication and establishing and maintaining Security Associations (SAs). IKEv2 performs mutual authentication between the UE and the ECS and establishes an IKE SA including shared key information, which can then be used to efficiently establish further SAs. The EAP procedure/framework specified in RFC 3748 is used for authentication between a UE and an ECS in an external data network. The fifth generation (5G) core network initiates the authentication and establishes a Protocol Data Unit (PDU) session, as detailed in TS 33.501.
To implement an edge computing service between the EEC and the ECS (using the TLS protocol, IKEv2, or an EAP procedure), the authenticity of the EEC and the ECS (i.e., mutual authentication between the entities) needs to be verified before actual communication. To perform mutual authentication between the EEC and the ECS, security credentials need to be established. However, conventional methods do not disclose how to establish a secure connection for using an edge computing service by providing the security credentials required by the EEC and ECS and implementing mutual authentication based on successful authentication and authorization of the EEC and ECS.
Furthermore, for secure connection establishment between the EEC and the ECS using the TLS protocol, it is sufficient, according to the RFC, to verify the authenticity of the ECS only; authentication of the EEC is optional. In a conventional approach, the ECS server-side certificate may be used to establish a secure TLS connection between the EEC and the ECS, and the EEC is then authenticated using a message authentication code (MAC-1). However, such authentication and such establishment of a secure TLS connection between the EEC and ECS may not be efficient.
In addition, the secure connection establishment procedure may abort the session if the security credentials are unavailable. Furthermore, if the security credentials are established during the secure connection establishment procedure, the time taken to establish them may not be within acceptable thresholds. Thus, there is a need to address the provisioning of security credentials in an entity (e.g., EEC, ECS, etc.) at or before performing secure connection establishment.
The above information is presented merely as background information to aid in the understanding of the present disclosure. No determination has been made, nor has an assertion made, as to whether any of the above can be applied as prior art to the present disclosure.
Disclosure of Invention
Technical problem
Aspects of the present disclosure are directed to solving at least the problems and/or disadvantages described above and to providing at least the advantages described below. Accordingly, it is an aspect of the present disclosure to provide methods and systems for the establishment and authentication of secure connections for accessing edge computing services.
Another aspect of the present disclosure is to provide methods and systems for dynamically deriving a pre-shared key (PSK) and using the dynamically derived PSK for establishment and authentication of a secure connection between a User Equipment (UE) and a server for accessing an edge computing service, wherein the UE includes an Edge Enabled Client (EEC) and the server includes an Edge Configuration Server (ECS).
Another aspect of the present disclosure is to provide a method and system for transmitting an application key Identifier (ID) to a server or an Edge Enabled Server (EES) by a UE in a first message or a second message and initiating a secure connection establishment procedure with the server by the UE based on the first message or the second message for transmitting the application key ID to the server to establish a secure connection, wherein the first message is a TLS protocol message carrying the key ID and the second message is a service providing message.
Solution to the problem
According to one aspect of the present disclosure, a method for establishing and authenticating a secure connection for accessing an edge computing service is provided. The method includes performing, by a User Equipment (UE), authentication with a Core Network (CN) using subscription credentials. The method includes deriving, by the UE after performing authentication with the CN, an edge configuration server specific key (K_ECS) for at least one edge computing service. The method includes initiating, by the UE, a secure connection establishment procedure with the server by establishing a pre-shared key (PSK) based on the derived K_ECS, to establish a secure connection for accessing the at least one edge computing service.
According to another aspect of the present disclosure, an edge computing system is provided. The edge computing system includes a server and a User Equipment (UE) coupled to the server. The server is configured to perform authentication with a Core Network (CN) using the subscription credentials. The server is configured to derive an edge configuration server specific key (K_ECS) for at least one edge computing service after performing authentication with the CN. The server is configured to establish a pre-shared key (PSK) based on the derived K_ECS and to initiate a secure connection establishment procedure with the server to establish a secure connection for accessing the at least one edge computing service.
According to another aspect of the present disclosure, a User Equipment (UE) in an edge computing system is provided. The UE includes an application client and an Edge Enabled Client (EEC) coupled to the application client. The EEC is configured to perform authentication with a Core Network (CN) using subscription credentials. The EEC is configured to derive an edge configuration server specific key (K_ECS) for at least one edge computing service after performing authentication with the CN. The EEC is configured to send an application key Identifier (ID) to the server in a first message or in a second message. The EEC is configured to initiate a secure connection establishment procedure with the server based on the first message or the second message carrying the application key ID, and to derive a pre-shared key (PSK) from the edge configuration server specific key (K_ECS) for the at least one edge computing service, or to use K_ECS as the PSK. The EEC is configured to enable mutual authentication between the UE and the server using the PSK to establish a secure connection for the at least one edge computing service.
According to another aspect of the present disclosure, a server in an edge computing system is provided. The server includes a memory and a controller coupled to the memory. The controller is configured to receive an application key identifier (key ID) from a User Equipment (UE) for at least one edge computing service. The controller is configured to obtain an edge configuration server specific key (K_ECS) for the received application key ID from the application anchor function. The controller is configured to derive a pre-shared key (PSK) based on the acquired K_ECS, or to use K_ECS as the PSK. The controller is configured to enable mutual authentication between the UE and the server using the PSK to establish a secure connection for the at least one edge computing service.
Other aspects, advantages, and salient features of the disclosure will become apparent to those skilled in the art from the following detailed description, which, taken in conjunction with the annexed drawings, discloses various embodiments of the disclosure.
Advantageous effects of the invention
The present disclosure relates to a pre-5th generation (5G) or 5G communication system to be provided for supporting higher data rates than a 4th generation (4G) communication system such as Long Term Evolution (LTE). Embodiments of the present disclosure provide methods and systems for the establishment and authentication of secure connections for accessing edge computing services.
Drawings
The foregoing and other aspects, features, and advantages of certain embodiments of the disclosure will become more apparent from the following description, taken in conjunction with the accompanying drawings, in which:
FIG. 1 depicts an application architecture for implementing an application supporting an edge computing system, without defining how to establish and authenticate a secure connection for accessing the edge computing system, in accordance with the related art;
FIG. 2 depicts an edge computing system according to an embodiment of the present disclosure;
fig. 3 is a block diagram depicting components of a User Equipment (UE) for accessing an edge computing service in accordance with an embodiment of the disclosure;
fig. 4 is an example block diagram depicting components of a Core Network (CN) according to an embodiment of the present disclosure;
fig. 5 is an example block diagram depicting components of an Edge Configuration Server (ECS) in accordance with an embodiment of the disclosure;
fig. 6 depicts an example sequence diagram in which a UE and a server/ECS are to use Transport Layer Security (TLS) with pre-shared key (PSK) based authentication for securing a connection for accessing an edge computing service, where details of an application key identifier are carried by TLS protocol messages to establish PSK during a TLS establishment procedure, in accordance with an embodiment of the present disclosure;
fig. 7 depicts an example sequence diagram in which a UE and ECS will use TLS with PSK-based authentication for securing a connection for accessing an edge computing service, where details of an application key identifier are carried by a service provisioning request to establish PSK prior to a TLS establishment procedure, in accordance with an embodiment of the present disclosure;
fig. 8A depicts a service provision request and a service provision response, respectively, in accordance with various embodiments of the present disclosure;
Fig. 8B depicts a service provision request and a service provision response, respectively, in accordance with various embodiments of the present disclosure;
fig. 9 is an example diagram depicting derivation of PSK in accordance with an embodiment of the present disclosure; and
fig. 10 is an example diagram depicting a symmetric encryption or encryption and decryption mechanism for protecting access tokens according to an embodiment of the present disclosure.
Throughout the drawings, it should be noted that the same reference numerals are used to describe the same or similar elements, features and structures.
Detailed Description
The following description is provided with reference to the accompanying drawings to assist in a comprehensive understanding of the various embodiments of the disclosure defined by the claims and their equivalents. The following description includes various specific details that facilitate understanding, but are to be considered exemplary only. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the various embodiments described herein can be made without departing from the scope and spirit of the present disclosure. In addition, descriptions of well-known functions and constructions may be omitted for clarity and conciseness.
The terms and words used in the following description and claims are not limited to written meanings, but are used only by the inventors to enable a clear and consistent understanding of the disclosure. Accordingly, it should be apparent to those skilled in the art that the following descriptions of the various embodiments of the present disclosure are provided for illustration only and not for the purpose of limiting the disclosure as defined by the appended claims and their equivalents.
It should be understood that the singular forms "a", "an" and "the" include plural referents unless the context clearly dictates otherwise. Thus, for example, reference to "a component surface" includes reference to one or more such surfaces.
Embodiments herein disclose how to achieve authentication by providing required credentials before the actual communication between the UE/client and server and establish a secure session/connection between the UE and server for accessing edge computing services based on successful authentication and authorization of the UE and server. The UE includes an Edge Enabled Client (EEC), and the server includes an Edge Configuration Server (ECS).
Embodiments herein use the Authentication and Key Management for Applications (AKMA) network service to authenticate and authorize UEs and servers for edge computing services. The AKMA network service establishes the required credentials between the UE and the server to perform authentication and establish a secure connection for the edge computing service. The UE derives a pre-shared key (PSK) based on the AKMA application key and indicates a PSK key Identifier (ID) to the server to establish a secure Transport Layer Security (TLS) connection/session with the server for the edge computing service. In an example, the UE indicates the AKMA key ID to the server in a TLS message. In another example, the UE indicates the AKMA key ID to the server in the service provisioning request. Based on the indicated AKMA key ID, the server obtains the PSK by contacting the AKMA anchor function (AAnF) using information in the AKMA key ID. Once the server has obtained the PSK, mutual authentication is performed between the UE and the server using the PSK, and a secure TLS connection/session is established between the UE and the server based on successful authentication and authorization of the UE and the server.
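The following is an added, runnable model of the exchange just described and of the UE/server aspects in the "Solution to the problem" section; it is illustration code written for this page, not code from the patent or from any 3GPP implementation. It assumes an HMAC-SHA-256 KDF in the TS 33.220 Annex B layout, function codes, SUPI, realm and AF identifier values chosen here for illustration, and a pair of HMAC "finished" values standing in for the TLS-PSK handshake; the point it shows is that the AAnF lookup by key ID happens before the handshake, so an unknown key ID or a K_ECS bound to a different server is rejected without ever starting TLS.

```python
"""Toy model of AKMA-anchored PSK establishment between an EEC (UE) and an ECS."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    # HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (TS 33.220 Annex B layout).
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Function codes are assumptions for this illustration; the page does not state them.
FC_K_AKMA, FC_A_TID, FC_K_AF, FC_PSK = 0x80, 0x81, 0x82, 0x90


def derive_k_akma_and_a_kid(k_ausf: bytes, supi: str, realm: str):
    # UE and network both hold K_AUSF after primary authentication with the CN.
    k_akma = kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())
    a_tid = kdf(k_ausf, FC_A_TID, b"A-TID", supi.encode()).hex()[:16]
    return k_akma, f"{a_tid}@{realm}"   # A-KID: temporary identifier @ home realm


def derive_k_ecs(k_akma: bytes, af_id: str) -> bytes:
    # K_ECS is the AKMA application key K_AF bound to the ECS's AF identifier.
    return kdf(k_akma, FC_K_AF, af_id.encode())


def derive_psk(k_ecs: bytes) -> bytes:
    # PSK derived from K_ECS (the page also allows using K_ECS itself as the PSK).
    return kdf(k_ecs, FC_PSK, b"EDGE-4 PSK")


def finished_mac(psk: bytes, role: bytes, transcript: bytes) -> bytes:
    # Stand-in for the TLS-PSK Finished messages: proof of PSK possession over the transcript.
    return hmac.new(psk, role + transcript, hashlib.sha256).digest()


@dataclass
class AAnF:
    store: dict = field(default_factory=dict)   # A-KID -> K_AKMA, filled after primary auth

    def register(self, a_kid: str, k_akma: bytes) -> None:
        self.store[a_kid] = k_akma

    def k_af_for(self, a_kid: str, af_id: str):
        # Returns K_AF (= K_ECS) for the requesting AF, or None if the A-KID is unknown.
        k_akma = self.store.get(a_kid)
        return None if k_akma is None else derive_k_ecs(k_akma, af_id)


@dataclass
class ECS:
    af_id: str
    aanf: AAnF

    def provision(self, a_kid: str, eec_nonce: bytes) -> dict:
        # The service provisioning request carries the A-KID; the ECS resolves it to
        # K_ECS via the AAnF before any TLS handshake is attempted.
        k_ecs = self.aanf.k_af_for(a_kid, self.af_id)
        if k_ecs is None:
            return {"ok": False, "reason": "A-KID unknown to AAnF; no PSK, handshake refused"}
        psk = derive_psk(k_ecs)
        ecs_nonce = secrets.token_bytes(16)
        transcript = a_kid.encode() + eec_nonce + ecs_nonce
        return {"ok": True, "psk": psk, "ecs_nonce": ecs_nonce,
                "ecs_finished": finished_mac(psk, b"ecs", transcript)}

    def verify_eec(self, psk: bytes, transcript: bytes, eec_finished: bytes) -> bool:
        return hmac.compare_digest(eec_finished, finished_mac(psk, b"eec", transcript))


def run_exchange(k_ausf_ue: bytes, k_ausf_net: bytes, supi: str, realm: str,
                 ecs: ECS, ue_af_id: str = "") -> dict:
    # Network side: after primary authentication the AAnF learns K_AKMA under the A-KID.
    k_akma_net, a_kid_net = derive_k_akma_and_a_kid(k_ausf_net, supi, realm)
    ecs.aanf.register(a_kid_net, k_akma_net)
    # UE side: same derivation from its own K_AUSF; only the A-KID ever leaves the UE.
    k_akma_ue, a_kid_ue = derive_k_akma_and_a_kid(k_ausf_ue, supi, realm)
    psk_ue = derive_psk(derive_k_ecs(k_akma_ue, ue_af_id or ecs.af_id))
    eec_nonce = secrets.token_bytes(16)
    reply = ecs.provision(a_kid_ue, eec_nonce)
    if not reply["ok"]:
        return {"authenticated": False, "reason": reply["reason"]}
    transcript = a_kid_ue.encode() + eec_nonce + reply["ecs_nonce"]
    # UE authenticates the ECS first, then proves its own PSK possession to the ECS.
    if not hmac.compare_digest(reply["ecs_finished"], finished_mac(psk_ue, b"ecs", transcript)):
        return {"authenticated": False, "reason": "ECS failed to prove PSK possession"}
    if not ecs.verify_eec(reply["psk"], transcript, finished_mac(psk_ue, b"eec", transcript)):
        return {"authenticated": False, "reason": "EEC failed to prove PSK possession"}
    return {"authenticated": True, "a_kid": a_kid_ue, "psk_match": psk_ue == reply["psk"]}


if __name__ == "__main__":
    # Constructed sample values (not from the page): K_AUSF, SUPI, realm and AF identifier.
    ecs = ECS("ecs.edge.example.com", AAnF())
    k = bytes(range(32))
    print(run_exchange(k, k, "imsi-001010123456789", "5g-akma.example.com", ecs))
    print(run_exchange(bytes(32), k, "imsi-001010123456789", "5g-akma.example.com", ecs))
```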
Embodiments herein use network access credentials (subscription credentials/Universal Subscriber Identity Module (USIM) credentials) for edge computing user authentication and authorization. After a successful authentication process, embodiments herein issue/derive a temporary key (e.g., an access token or security key) for authorizing access to an Edge Enabled Server (EES). With the temporary key, the Mobile Network Operator (MNO) has the ability to control whether the UE accesses the edge computing service and can access each EES. In embodiments herein, an edge computing system may have multiple EES; and each EES is owned by an edge computing service provider, respectively. In an embodiment, there may be multiple edge computing service providers.
Referring now to the drawings, and more particularly to fig. 2-7, 8A, 8B, 9 and 10, wherein like reference numerals designate corresponding features consistently throughout the figures, example embodiments are shown.
When a referenced specification is updated, the clause numbers cited throughout this document may change, but the specification number (e.g., TS 23.558) remains fixed.
Fig. 2 depicts an edge computing system 200 according to an embodiment of the present disclosure.
Referring to fig. 2, the edge computing system 200 referred to herein may be configured to provide edge computing services by deploying an edge server in proximity to user devices. Examples of edge computing services may be, but are not limited to, voice service sessions, real-time streaming media service sessions, real-time gaming service sessions, buffered streaming media service sessions, transmission Control Protocol (TCP) based sessions (e.g., email, messaging services, file transfer services, etc.), internet Protocol (IP) multimedia subsystem (IMS) services, and the like. The edge computing system 200 provides advantages such as, but not limited to, efficient service delivery with significantly reduced end-to-end delay, reduced load on the transport network, and the like. Because of such advantages, the edge computing system 200 may be used in applications such as, but not limited to, virtual and augmented reality (VR/AR) related applications, internet of things (IoT) applications, industrial applications, autonomous driving applications, real-time multiplayer gaming applications, and the like.
The edge computing system 200 includes one or more User Equipment (UE)/user devices 202, one or more Core Networks (CNs) 204, an application anchor function 206, and an edge data network 208.
The UE 202 may be a user device capable of accessing an edge computing service. Examples of UE 202 may be, but are not limited to, a mobile phone, a smart phone, a tablet computer, a phablet, a Personal Digital Assistant (PDA), a laptop computer, a wearable computing device, an in-vehicle infotainment device, an IoT device, a wireless fidelity (Wi-Fi) router, a USB dongle, or any other device that supports access to edge computing services. The UE 202 may be connected to the CN 204 through one or more Base Stations (BSs) associated with the CN 204. The UE 202 may also connect to the edge data network 208 according to 3rd Generation Partnership Project (3GPP) TS 23.558. Embodiments herein use terms such as "UE," "client," "user device," and "Edge Enabled Client (EEC)" interchangeably to refer to a device capable of accessing an edge computing service.
The CN/3GPP core network 204 may support one or more different Radio Access Technologies (RATs). Examples of RATs may be, but are not limited to, 3rd Generation Partnership Project (3GPP) technologies, Long Term Evolution (LTE/4G), LTE-Advanced (LTE-A), fifth generation (5G) New Radio (NR), Wireless Local Area Network (WLAN), Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Orthogonal Frequency Division Multiple Access (OFDMA), General Packet Radio Service (GPRS), Enhanced Data rates for GSM Evolution (EDGE), Universal Mobile Telecommunications System (UMTS), Evolution-Data Optimized (EVDO), High Speed Packet Access (HSPA), enhanced HSPA (HSPA+), Worldwide Interoperability for Microwave Access (WiMAX/IEEE 802.16), Wi-Fi (IEEE 802.11), Evolved UTRA (E-UTRA), Wi-Fi Direct, or any other next generation network. In an example, the CN 204 may be an Evolved Packet Core (EPC) supporting an LTE network. In another example, the CN 204 may be a fifth generation (5G) core network (5GC). The CN 204 may be connected to the UE 202 via an associated Base Station (BS)/Radio Access Network (RAN) (not shown). The CN 204 may be configured to provide authentication services and other security related services to the UE 202 when the UE 202 initiates a procedure for accessing edge computing services.
The application anchor function 206 may be an application Authentication and Key Management (AKMA) anchor function (AAnF) in a national public land mobile network (HPLMN). In an example, the application anchor function 206 may be deployed as a stand-alone function. In another example, the application anchor function 206 may be deployed by being collocated with the functionality of the CN 204 or with a Network Exposure Function (NEF) according to the deployment scenario of the operator. The application anchor function 206 may be configured to generate keying material that may be used during the establishment of an authenticated and secure connection between the UE 202 and the edge data network 208 for the edge computing service. Embodiments herein use terms such as "application anchor function", "AAnF", etc., interchangeably throughout the document.
The edge data network 208 includes an Edge Configuration Server (ECS) 208a, one or more Edge Enabler Servers (EES) 208b, and one or more Edge Application Servers (EAS) 208c. The ECS 208a may be coupled to the EES 208b, the CN 204 and the UE 202 via an EDGE-6 interface, an EDGE-8 interface and an EDGE-4 interface, respectively. EESs 208b may be connected to each other using an EDGE-9 interface. The EES 208b may be connected to the EAS 208c, the CN 204, and the UE 202 via an EDGE-3 interface, an EDGE-2 interface, and an EDGE-1 interface, respectively. The EAS 208c may be connected to the UE 202 using an EDGE-7 interface. For edge computing services, application data traffic is exchanged between the UE 202 and the EAS 208c.
The ECS 208a may be an Application Function (AF) with respect to the AAnF 206 (as specified in 3GPP TS 33.535). The ECS 208a may be configured to provide the UE 202 with the configuration needed to connect with the EAS 208c and access edge computing services. Embodiments herein use terms such as "ECS", "server", "AF", "OAuth server", and the like interchangeably throughout the document. The EES 208b may be configured to enable discovery of EASs for the UE 202 to access edge computing services. The EAS 208c may be configured to provide edge computing services to the UE 202.
The architecture of the edge computing system 200, the functions of its components, and the like will be readily understood by one of ordinary skill in the art by reference to 3GPP TS 23.558; a detailed description of the components of the edge computing system 200 is therefore omitted.
Embodiments herein enable authentication and establishment of secure connections between the UE 202 and the ECS 208a for accessing edge computing services.
When the UE 202 wants to access an edge computing service, the UE 202 performs authentication with the CN 204 using its subscription credentials. In an example, the subscription credentials may include security credentials/Universal Subscriber Identity Module (USIM) credentials provided by a Mobile Network Operator (MNO) for accessing the CN 204 and the RATs supported by the CN 204. In an example, the authentication performed with the CN 204 is the primary network access authentication procedure specified in 3GPP TS 33.501 clause 6.1. After performing authentication with the CN 204, the UE 202 and the CN 204 both hold an authentication server function key. In an example, if the CN 204 is a 5GC, the authentication server function key is the key K_AUSF.
After generating the authentication server function key, the CN 204 derives an authentication and authorization key. In an example, the authentication and authorization key is the AKMA key (K_AKMA), which the CN 204 derives as specified in 3GPP TS 33.535. The CN 204 conveys the authentication and authorization key/AKMA key (K_AKMA) to the AAnF 206 in a key response.
After generating the authentication server function key, the UE 202 derives the authentication and authorization key/AKMA key (K_AKMA) as specified in 3GPP TS 33.535. The UE 202 also derives other keys for one or more edge computing services, such as, but not limited to, an edge configuration server specific key (K_ECS). In an embodiment, the edge configuration server specific key (K_ECS) is an AKMA application key (K_AF). The UE 202 derives K_ECS from the authentication and authorization key/AKMA key (K_AKMA) as specified in 3GPP TS 33.535. If the UE 202 already holds a valid K_ECS, it does not repeat the derivation.
According to 3GPP TS 33.535, the UE 202 derives the edge configuration server specific key (K_ECS)/AKMA application key (K_AF) using the Key Derivation Function (KDF) specified in 3GPP TS 33.220. The UE 202 computes K_ECS/K_AF (according to clause A.4 of 3GPP TS 33.535) as:
K_AF = KDF(K_AKMA, AF_ID)
where AF_ID is constructed as:
AF_ID = FQDN of the AF || Ua* security protocol identifier
where the Ua* security protocol identifier is the Ua security protocol identifier specified in Annex H of 3GPP TS 33.220. The input key for deriving the AKMA application key (K_AF)/(K_ECS) is the AKMA key (K_AKMA). The FQDN (fully qualified domain name) of the AF/ECS 208a may be configured in the UE 202 as part of the ECS address information. Alternatively, if an Internet Protocol (IP) address is configured, the IP address may be used to construct AF_ID instead of the FQDN. The FQDN or IP address of the AF/ECS 208a may be configured in the UE 202 using a Protocol Configuration Options (PCO) message received from the CN 204.
Embodiments herein use the terms "edge configuration server specific key (K_ECS)", "AKMA application key (K_AF)", and the like interchangeably throughout the document.
After deriving an edge configuration server specific key (K_ECS) for one or more edge computing services, the UE 202 initiates a secure connection establishment procedure to access the edge computing service, using for authentication and secure connection establishment either a pre-shared key (PSK) established dynamically from K_ECS or K_ECS itself. Establishing the secure connection involves establishing a secure channel between the UE 202 and the ECS 208a for the edge computing service. In an embodiment, the secure connection establishment procedure is a TLS connection/session establishment procedure and the secure connection is a secure TLS connection/session.
The UE 202 initiates the secure connection establishment procedure by sending an application key identifier (ID) to the ECS 208a. In an embodiment, the application key ID is an AKMA key ID. The application key ID identifies the authentication and authorization key/AKMA key (K_AKMA) from which the edge configuration server specific key (K_ECS) is derived. Embodiments herein use terms such as "application key ID", "AKMA key ID", "A-KID", "AKMA-ID", and the like interchangeably throughout the document.
In an embodiment, the UE 202 sends the application key ID to the ECS 208a in a first message/TLS protocol message while initiating the secure connection establishment procedure with the ECS 208a, so that the application key ID is delivered as part of the security setup procedure itself. Sending the application key ID in the TLS protocol message comprises sending EEC details to the ECS 208a in that message. In an example, the TLS protocol message is a ClientHello message. The EEC details may be carried in a vendor ID payload within the TLS protocol message and may include the EEC ID, the UE ID, and the application key ID. After receiving the application key ID from the UE 202 in the TLS protocol message, the ECS 208a sends a key request including the received application key ID to the AAnF 206; the application key ID identifies the application security context in the AAnF 206 from which the edge configuration server specific key (K_ECS) is obtained. The AAnF 206 derives K_ECS using the authentication and authorization key/AKMA key (K_AKMA) corresponding to the received application key ID and sends the derived K_ECS to the ECS 208a. Once K_ECS is available at both the UE 202 and the ECS 208a, each derives the PSK. In an embodiment, the UE 202 and the ECS 208a derive the PSK from K_ECS and other possible parameters. Examples of such parameters include, but are not limited to, a Function Code (FC) value, the Generic Public Subscription Identifier (GPSI), the EEC ID, the ECS ID, a text string such as "PSK", a freshness parameter, and the like. In an embodiment, the freshness parameter is a counter value maintained by the EEC 310 of the UE 202. In another embodiment, the UE 202 and the ECS 208a use K_ECS itself as the PSK.
After deriving the PSK, the UE 202 and ECS 208a use the PSK to perform mutual authentication to establish a secure connection/secure channel for accessing the edge computing service.
In another embodiment, the UE 202 sends the application key ID to the ECS 208a in a second message/service provisioning request. In an example, the service provisioning request includes the EEC ID, security credentials, the application key ID, the application client profile of the UE 202, the UE ID, connection information, the UE location, and the like. After receiving the application key ID in the service provisioning request, the ECS 208a obtains the edge configuration server specific key (K_ECS) by communicating with the AAnF 206. Once K_ECS is available at both the UE 202 and the ECS 208a, they derive the PSK from K_ECS and other possible parameters, or alternatively use K_ECS itself as the PSK. After deriving the PSK, the ECS 208a sends a request to the UE 202 to initiate the secure connection establishment procedure, and the UE 202 initiates the procedure with the ECS 208a based on that request. After the procedure is initiated, the UE 202 and the ECS 208a use the PSK to perform mutual authentication and establish a secure connection for accessing the edge computing service.
After the secure connection is established, the ECS 208a provides authorization credentials to the UE 202 over the established secure connection in response to the service provision request. In an example, the authorization credential may include an access token corresponding to EES 208b for which the UE 202 has access authorization.
After receiving the access token for the EES 208b from the ECS 208a, the UE 202 uses the received access token to perform EEC registration (as specified in clause 8.4.2 of TS 23.558 [2]) and discovery (as specified in clause 8.5 of TS 23.558 [2]) with the EES 208b to gain access to one or more EAS 208c. After being granted access to one or more EAS 208c by the EES 208b, the UE 202 accesses one or more edge computing services from the one or more EAS 208c.
FIG. 2 shows blocks of edge computing system 200, but it should be understood that embodiments are not limited thereto. In other embodiments, edge computing system 200 may include a fewer or greater number of blocks. Moreover, the labels or names of the blocks are for illustration purposes only and do not limit the scope of the embodiments herein. In the edge computing system 200, one or more blocks may be combined together to perform the same or substantially similar functions.
Fig. 3 is a block diagram depicting components of a UE 202 for accessing edge computing services in accordance with an embodiment of the disclosure.
Referring to FIG. 3, the UE 202 includes a controller 302, a memory 304, a communication interface 306, a Mobile Equipment (ME) 308, an EEC 310, and one or more application clients 312. The UE 202 may also include at least one of a transceiver, processing circuitry, communication ports, a display, input/output (I/O) ports, and the like (not shown).
The controller 302 may be configured to control the components 304 to 312 of the UE 202. The controller 302 includes at least one of a single processor, multiple processors, multiple homogeneous or heterogeneous cores, multiple Central Processing Units (CPUs) of different kinds, microcontrollers, dedicated media, and other accelerators.
The memory 304 may store at least one of the authentication server function key (K_AUSF), the authentication and authorization key/AKMA key (K_AKMA), the edge configuration server specific key (K_ECS), the PSK, the access token, and the like. Examples of the memory 304 may be, but are not limited to, NAND, embedded multimedia card (eMMC), Secure Digital (SD) card, Universal Serial Bus (USB), Serial Advanced Technology Attachment (SATA), Solid State Drive (SSD), and the like. Furthermore, the memory 304 may include one or more computer-readable storage media. The memory 304 may include one or more non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard disks, optical disks, floppy disks, flash memory, or forms of electrically programmable memory (EPROM) or electrically erasable programmable memory (EEPROM). Additionally, in some examples, the memory 304 may be considered a non-transitory storage medium. The term "non-transitory" may indicate that the storage medium is not embodied in a carrier wave or propagated signal. However, the term "non-transitory" should not be construed to mean that the memory is not removable. In some examples, a non-transitory storage medium may store data (e.g., in Random Access Memory (RAM) or cache) that changes over time.
The communication interface 306 may be configured to enable the UE 202 to communicate with the CN 204 using interfaces supported by one or more RATs. Examples of interfaces may be, but are not limited to, at least one of a wired or wireless fronthaul interface, a wired or wireless backhaul interface, or any structure supporting communication over a wired or wireless connection. The communication interface 306 may also be configured to enable the UE 202 to communicate with the edge data network 208 using the various EDGE interfaces (as specified in 3GPP TS 23.558 [2]).
The ME 308 includes Terminal Equipment (TE) (not shown) and a Mobile Termination (MT) 308a. The radio access protocols run on the MT 308a, and the control functions for the MT 308a run on the TE. When the UE 202 wants to access edge computing services from one or more EAS 208c, the MT 308a initiates the authentication/primary network access authentication procedure with the CN 204. Upon completion of the network access authentication procedure with the CN 204, the MT 308a holds the authentication key (K_AUSF) and stores it in the memory 304.
The EEC 310 may be configured on the UE 202 by at least one of an application client 312 (i.e., an edge-aware application client), the user, the MNO through a 5GC procedure, and the like. The EEC 310 may also be configured based on at least one of an HPLMN identifier derived for a non-roaming scenario, a Visited Public Land Mobile Network (VPLMN) identifier derived for a roaming scenario, and the like. The EEC 310 provides support functions to the application client 312 for accessing edge computing services from one or more EAS 208c. In an example, the support functions may include, but are not limited to, discovering one or more EAS for the application client 312.
To provide the support functions to the application client 312, the EEC 310 may establish secure connections with the ECS 208a and the EES 208b. To establish the secure connection with the ECS 208a, the EEC 310 derives the AKMA key (K_AKMA) after the MT 308a has generated the authentication key (K_AUSF). The EEC 310 then derives the edge configuration server specific key (K_ECS)/AKMA application key (K_AF) from K_AKMA.
After deriving the edge configuration server specific key (K_ECS), the EEC 310 sends the application key ID to the ECS 208a. In an embodiment, the EEC 310 sends the application key ID to the ECS 208a in a TLS protocol message while initiating the secure connection establishment procedure with the ECS 208a. In this case, after initiating the procedure, the EEC 310 derives the PSK from K_ECS or uses K_ECS as the PSK. After deriving the PSK, the EEC 310 performs mutual authentication between the UE 202 and the ECS 208a using the PSK to establish a secure connection for accessing the edge computing service.
In another embodiment, the EEC 310 sends the application key ID to the ECS 208a in a service provisioning request. In this case, after sending the service provisioning request, the EEC 310 derives the PSK from the edge configuration server specific key (K_ECS) or uses K_ECS as the PSK. Once the ECS 208a has derived the PSK, the EEC 310 receives a request from the ECS 208a to initiate the secure connection establishment procedure, and the EEC 310 initiates the procedure with the ECS 208a. After initiating the procedure, the EEC 310 performs mutual authentication between the UE 202 and the ECS 208a using the PSK to establish a secure connection for accessing the edge computing service.
In an example, the EEC 310 derives the PSK from the edge configuration server specific key (K_ECS) and other possible parameters such as, but not limited to, an FC value, the GPSI, the EEC ID, the ECS ID, a text string such as "PSK", a freshness parameter, and the like. In an embodiment, the freshness parameter is a counter value maintained by the EEC 310. In another example, the EEC 310 uses K_ECS itself as the PSK.
In an example, performing mutual authentication between the UE 202 and the ECS 208a involves the EEC 310 proving to the ECS 208a that it possesses the derived PSK and verifying the ECS 208a's proof that it possesses the same PSK; in PSK-based TLS the PSK itself is never transmitted, only evidence of its possession. The EEC 310 authenticates the ECS 208a based on that evidence, and the ECS 208a authenticates the EEC 310 in the same way. Once the EEC 310 and the ECS 208a have been successfully authenticated and authorized, a secure connection/TLS session is established between the EEC 310/UE 202 and the ECS 208a.
The EEC 310 may also be configured to initiate a service provisioning procedure with the ECS 208a after establishing a secure connection/TLS session with the ECS 208 a. In response to the initiated service provisioning procedure, the EEC 310 may receive an access token for the EES 208b from the ECS 208a if the UE 202 is authorized to access the corresponding EES 208 b.
The EEC 310 may also be configured to use the received access token to perform EEC registration and discovery with the EES 208b to discover one or more EAS 208c. The EEC 310 provides information regarding the discovered one or more EAS 208c to the application client 312 for access to the edge computing service.
After one or more EAS 208c are discovered by the EEC 310, the application client 312 may be configured to access edge calculation services from the one or more EAS 208c.
Fig. 3 shows blocks of UE 202, but it should be understood that embodiments are not limited thereto. In other embodiments, the UE 202 may include a fewer or greater number of blocks. Moreover, the labels or names of the blocks are for illustration purposes only and do not limit the scope of the embodiments herein. One or more blocks may be combined together to perform the same or substantially similar functions in the UE 202.
Fig. 4 is an example block diagram depicting components of CN 204 in accordance with an embodiment of the present disclosure.
Referring to FIG. 4, the CN 204 may include, but is not limited to, at least one of an EPC, a 5GC network, and the like. The CN 204 includes a memory 402, a communication interface 404, and a network entity 406.
The memory 402 may store at least one of information about the UE 202, the edge data network 208, the AAnF 206, and the like, the authentication key (K_AUSF), and so on. Examples of the memory 402 may be, but are not limited to, NAND, embedded multimedia card (eMMC), Secure Digital (SD) card, Universal Serial Bus (USB), Serial Advanced Technology Attachment (SATA), Solid State Drive (SSD), and the like. The memory 402 may also include one or more computer-readable storage media and non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard disks, optical disks, floppy disks, flash memory, or forms of electrically programmable memory (EPROM) or electrically erasable programmable memory (EEPROM). Additionally, in some examples, the memory 402 may be considered a non-transitory storage medium. The term "non-transitory" may indicate that the storage medium is not embodied in a carrier wave or propagated signal. However, the term "non-transitory" should not be construed to mean that the memory 402 is not removable. In some examples, a non-transitory storage medium may store data (e.g., in Random Access Memory (RAM) or cache) that changes over time.
The communication interface 404 may be configured to enable the CN 204 to communicate with the UE 202 through an associated BS using interfaces supported by one or more RATs. Examples of interfaces may be a wired or wireless forward interface, a wired/non-radio or wireless/radio interface, or any structure supporting communication over a wired or wireless connection. The communication interface 404 may also be configured to enable the CN 204 to communicate with the EDGE data network 208 using various EDGE interfaces.
The network entity 406 may be a core functional element/module depending on the RAT supported by the CN 204. In an example, if the CN 204 supports a 5G network, the network entity 406 may be an authentication server function (AUSF). When the UE 202 wants to access edge computing services from the edge data network 208, the network entity/AUSF 406 may be configured to provide authentication services and other security related services to the UE 202.
Upon completion of the network access authentication procedure initiated by the UE 202 with the CN 204, the network entity/AUSF 406 generates the authentication key (K_AUSF). After generating K_AUSF, the network entity/AUSF 406 derives the AKMA key (K_AKMA) and provides it to the AAnF 206. The AAnF 206 may use K_AKMA to derive the edge configuration server specific key (K_ECS)/AKMA application key (K_AF).
Fig. 4 shows blocks of CN 204, but it should be understood that embodiments are not limited thereto. In other embodiments, the CN 204 may include a fewer or greater number of blocks. Moreover, the labels or names of the blocks are for illustration purposes only and do not limit the scope of the embodiments herein. One or more blocks may be combined together to perform the same or substantially similar functions in the CN 204.
Fig. 5 is an example block diagram depicting components of the ECS 208a in accordance with an embodiment of the present disclosure.
Referring to FIG. 5, the ECS 208a includes a memory 502, a communication interface 504, and a controller 506.
The memory 502 may store at least one of an authentication key, the AKMA key (K_AKMA), the edge configuration server specific key (K_ECS)/AKMA application key (K_AF), the PSK, the access token, and the like. Examples of the memory 502 may be, but are not limited to, NAND, embedded multimedia card (eMMC), Secure Digital (SD) card, Universal Serial Bus (USB), Serial Advanced Technology Attachment (SATA), Solid State Drive (SSD), and the like. The memory 502 may also include one or more computer-readable storage media and non-volatile storage elements. Examples of such non-volatile storage elements may include magnetic hard disks, optical disks, floppy disks, flash memory, or forms of electrically programmable memory (EPROM) or electrically erasable programmable memory (EEPROM). Additionally, in some examples, the memory 502 may be considered a non-transitory storage medium. The term "non-transitory" may indicate that the storage medium is not embodied in a carrier wave or propagated signal. However, the term "non-transitory" should not be construed to mean that the memory 502 is not removable. In some examples, a non-transitory storage medium may store data (e.g., in Random Access Memory (RAM) or cache) that changes over time.
The communication interface 504 may be configured to enable the ECS 208a to communicate with the UE 202, the CN 204, and the AAnF 206 via one or more EDGE interfaces (as specified in 3GPP TS 23.558 [2]).
The controller 506 includes at least one of a single processor, multiple processors, multiple homogeneous or heterogeneous cores, multiple Central Processing Units (CPUs) of different kinds, microcontrollers, dedicated media, and other accelerators.
When the UE 202 wants to access the edge computing service, the controller 506 may be configured to establish a secure connection/TLS session between the UE 202 and the ECS 208 a.
To establish the secure connection, the controller 506 receives an application key ID from the UE 202. In an embodiment, when the UE 202 initiates the secure connection establishment procedure with the ECS 208a, the controller 506 receives the application key ID from the UE 202 in a TLS protocol message. In this case, the controller 506 uses the received application key ID to obtain the edge configuration server specific key (K_ECS) from the AAnF 206 and derives the PSK. After deriving the PSK, the controller 506 performs mutual authentication between the UE 202 and the ECS 208a using the PSK to establish a secure connection for accessing the edge computing service.
In another embodiment, the controller 506 receives the application key ID in a service provisioning request. In this case, the controller 506 uses the received application key ID to obtain the edge configuration server specific key (K_ECS) from the AAnF 206 and derives the PSK. After deriving the PSK, the controller 506 sends a request to the UE 202 to initiate the secure connection establishment procedure with the ECS 208a. When the UE 202 initiates that procedure, the controller 506 performs mutual authentication between the UE 202 and the ECS 208a using the PSK to establish a secure connection for accessing the edge computing service.
In an example, the controller 506 derives the PSK from the edge configuration server specific key (K_ECS) and other parameters such as, but not limited to, an FC value, the GPSI, the EEC ID, the ECS ID, a text string such as "PSK", a freshness parameter, and the like. In another example, the controller 506 uses K_ECS itself as the PSK.
When the UE 202 initiates a service provisioning procedure with the ECS 208a, the controller 506 may be further configured to provide the UE 202 with an access token corresponding to the EES 208 b. The controller 506 provides an access token to the UE 202 only if the UE 202 is authorized to access the corresponding EES 208 b.
Fig. 5 shows blocks of the ECS 208a, but it should be understood that embodiments are not limited thereto. In other embodiments, the ECS 208a may include a fewer or greater number of blocks. Moreover, the labels or names of the blocks are for illustration purposes only and do not limit the scope of the embodiments herein. One or more blocks may be combined together to perform the same or substantially similar functions in the ECS 208 a.
The embodiments herein further explain the authentication and establishment of a secure connection between the UE 202 and the ECS 208a by considering, as an example, that the UE 202 is connected to the 5GC 204; it will be apparent to those skilled in the art that the UE 202 may be connected to any other CN 204. The 5GC 204 includes the AUSF 406.
FIG. 6 depicts an example sequence diagram in which the UE 202 and the server/ECS 208a use TLS with PSK-based authentication to secure the connection for accessing edge computing services, with the application key ID/AKMA key identifier carried in TLS protocol messages so that the PSK is established during the TLS session establishment procedure, according to an embodiment of the present disclosure.
Referring to FIG. 6, at step 1, the MT 308a of the UE 202 performs the procedure defined in 3GPP TS 23.502 [5] to obtain 5GC network access.
At step 1A, the MT 308a initiates the network access authentication procedure (i.e., primary authentication and key agreement as specified in 3GPP TS 33.501 clause 6.1). Upon completion of the network access authentication procedure, the MT 308a and the AUSF 406 both hold (have successfully generated) the key K_AUSF.
At step 2A, the EEC 310 of the UE 202 derives the AKMA key as specified in 3GPP TS 33.535 and, optionally, other keys such as the edge configuration server specific key (K_ECS). The edge configuration server specific key (K_ECS) is an AKMA application key (K_AF) derived as specified in 3GPP TS 33.535. If the UE 202 already holds a valid AKMA application key K_ECS for the ECS 208a, the EEC 310 may skip step 2A.
At steps 2B and 2C, the AUSF 406 generates the AKMA key (K_AKMA) and provides it to the AAnF 206 as specified in 3GPP TS 33.535.
If there is a valid TLS session available with the ECS 208a, the UE 202 skips steps 2D through 2H.
If there is no valid TLS session available with the ECS 208a, steps 2D through 2H are performed to establish a secure TLS session between the UE 202 and the ECS 208a using PSK-based authentication. The PSK used for PSK-based authentication is established between the ECS 208a and the EEC 310 of the UE 202 using the AKMA procedure.
At step 2D, the UE 202 initiates TLS session establishment with the ECS 208a by having the EEC 310 send a ClientHello message of the TLS protocol to the ECS 208a. To establish the PSK as part of the TLS session establishment procedure, the ClientHello message includes the AKMA key ID.
In an embodiment, the EEC details (e.g., EEC ID, UE ID, AKMA key ID, and the like) are carried as a ClientHello extension in the ClientHello message. In another embodiment, the EEC details are carried in a vendor ID payload within the ClientHello message.
After receiving the ClientHello message from the UE 202, at step 2F the ECS 208a contacts the AAnF 206 (using the AKMA key ID) to obtain the corresponding AKMA application key (K_ECS/K_AF) of the UE 202. Based on the AKMA key ID, at step 2G the AAnF 206 provides the AKMA application key (K_ECS/K_AF) to the ECS 208a in a key response, optionally together with the corresponding K_ECS/K_AF lifetime.
EEC 310 and ECS 208a derive PSK based on the AKMA application keys derived/received at step 2A and step 2G, respectively. The EEC 310 and ECS 208a perform PSK-based authentication to establish a secure TLS session between each other.
In an embodiment, PSK-based authentication may be used for mutual authentication between the EEC 310 and the ECS 208 a. In another embodiment, a server certificate may be used for authentication of the ECS 208a and PSK may be used for authentication of the EEC 310.
In an embodiment, the PSK may be generated at the EEC 310 and the ECS 208a from the AKMA application key K_ECS/K_AF as follows:
PSK = KDF(K_ECS/K_AF, other possible parameters)
where the other possible parameters include at least one of an FC value, a text string such as "PSK", a freshness parameter, and the like. The derivation of the PSK is described in detail in connection with FIG. 9, where the PSK is denoted K_ECS-PSK.
In an embodiment, the AKMA application key K_ECS/K_AF itself is used as the PSK. In an embodiment, the PSK is taken to be at least one of the 128 least significant bits of K_ECS/K_AF and the 128 most significant bits of K_ECS/K_AF.
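The following is an added example, not code from the patent or from 3GPP, that carries the K_AF/K_ECS formula of clause A.4 and the PSK derivation above through to the ClientHello exchange of FIG. 6 steps 2A to 2H: the EEC derives K_AF from K_AKMA, sends the EEC details (EEC ID, UE ID, A-KID) in a ClientHello extension, the ECS uses the A-KID to fetch K_AF from a mock AAnF, and both sides derive the same PSK and prove possession of it without ever sending the key. The generic KDF follows 3GPP TS 33.220 Annex B.2 (HMAC-SHA-256 over FC || P0 || L0 || ...). Everything else is an assumption made for illustration: the FC value 0x82 for K_AF (stated in TS 33.535 Annex A.4, but confirm against your spec version), the 5-octet Ua* protocol identifier bytes, the FC value and parameter order of the patent's PSK step, the extension type and wire format, the way the ECS learns the EEC's freshness counter, and the HMAC stand-in for the TLS binder/Finished checks. All keys and identifiers are constructed test values.

```python
import hashlib
import hmac
import struct


def build_s(fc: int, params: list) -> bytes:
    """S = FC || P0 || L0 || ... || Pn || Ln (3GPP TS 33.220 Annex B.2); each Li is a 2-octet length."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return s


def kdf(key: bytes, fc: int, params: list) -> bytes:
    """Generic 3GPP KDF: derived key = HMAC-SHA-256(key, S)."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()


FC_KAF = 0x82                  # FC for K_AF in TS 33.535 Annex A.4 (assumed here; confirm in your spec version)
UA_PROTO_ID = bytes([0x01, 0x00, 0x00, 0x00, 0x02])  # placeholder 5-octet Ua* protocol identifier (assumed)
FC_PSK = 0xF0                  # hypothetical FC for the patent's PSK step (not given by the text)
EXT_EEC_DETAILS = 0xFF01       # hypothetical ClientHello extension type carrying the EEC details


def af_id(fqdn: str) -> bytes:
    """AF_ID = FQDN of the AF || Ua* security protocol identifier."""
    return fqdn.encode("ascii") + UA_PROTO_ID


def derive_k_af(k_akma: bytes, fqdn: str) -> bytes:
    """K_AF (used as K_ECS) = KDF(K_AKMA, AF_ID)."""
    return kdf(k_akma, FC_KAF, [af_id(fqdn)])


def derive_psk(k_ecs: bytes, gpsi: str, eec_id: str, ecs_id: str, counter: int) -> bytes:
    """PSK = KDF(K_ECS, FC, "PSK", GPSI, EEC ID, ECS ID, freshness counter); parameter order is assumed."""
    return kdf(k_ecs, FC_PSK, [b"PSK", gpsi.encode(), eec_id.encode(), ecs_id.encode(),
                               struct.pack(">I", counter)])


def psk_from_k_af(k_af: bytes, least_significant: bool = True) -> bytes:
    """The text's other option: K_AF itself, truncated to its 128 least (or most) significant bits."""
    return k_af[-16:] if least_significant else k_af[:16]


def encode_eec_details(eec_id: str, ue_id: str, a_kid: str) -> bytes:
    """ClientHello extension: type || length || three length-prefixed strings (wire format assumed)."""
    body = b"".join(struct.pack(">H", len(v)) + v for v in (eec_id.encode(), ue_id.encode(), a_kid.encode()))
    return struct.pack(">HH", EXT_EEC_DETAILS, len(body)) + body


def decode_eec_details(ext: bytes) -> dict:
    """ECS-side parser; rejects a wrong type, a length that disagrees with the data, and trailing bytes."""
    ext_type, length = struct.unpack(">HH", ext[:4])
    if ext_type != EXT_EEC_DETAILS or length != len(ext) - 4:
        raise ValueError("malformed EEC details extension")
    fields, off = [], 4
    for _ in range(3):
        (n,) = struct.unpack(">H", ext[off:off + 2])
        off += 2
        fields.append(ext[off:off + n].decode())
        off += n
    if off != len(ext):
        raise ValueError("trailing bytes in EEC details extension")
    return dict(zip(("eec_id", "ue_id", "a_kid"), fields))


class AAnF:
    """Mock AAnF holding the AKMA context per A-KID (K_AKMA pushed by the AUSF at steps 2B/2C)."""

    def __init__(self):
        self.contexts = {}  # A-KID -> (K_AKMA, GPSI)

    def key_request(self, a_kid: str, af_fqdn: str):
        """Steps 2F/2G: an unknown A-KID raises KeyError, which the ECS must turn into a rejected handshake."""
        k_akma, gpsi = self.contexts[a_kid]
        return derive_k_af(k_akma, af_fqdn), gpsi, 3600  # lifetime in seconds is an assumed value


def prove(psk: bytes, role: bytes, transcript: bytes) -> bytes:
    """Stand-in for the TLS-PSK binder/Finished checks: proof of possession, the PSK itself never leaves."""
    return hmac.new(psk, role + transcript, hashlib.sha256).digest()


def run_flow(counter_seen_by_ecs: int = 7) -> dict:
    """EEC and ECS derive the PSK independently and authenticate each other; all values are constructed."""
    aanf = AAnF()
    k_akma = bytes(range(32))  # constructed test key; never use a fixed key outside a test
    a_kid, gpsi = "u0123@akma.example.org", "msisdn-19990000001"
    eec_id, ue_id, ecs_fqdn, ecs_id = "eec-42", "imsi-999990000000001", "ecs.example.org", "ecs-1"
    aanf.contexts[a_kid] = (k_akma, gpsi)
    counter = 7  # freshness counter kept by the EEC (the text does not say how the ECS learns it)
    ue_psk = derive_psk(derive_k_af(k_akma, ecs_fqdn), gpsi, eec_id, ecs_id, counter)  # step 2A + PSK
    ext = encode_eec_details(eec_id, ue_id, a_kid)                                      # step 2D
    d = decode_eec_details(ext)                                                         # ECS receives it
    k_ecs, gpsi_ecs, _lifetime = aanf.key_request(d["a_kid"], ecs_fqdn)               # steps 2F/2G
    ecs_psk = derive_psk(k_ecs, gpsi_ecs, d["eec_id"], ecs_id, counter_seen_by_ecs)
    transcript = ext + b"constructed-server-hello"
    return {
        "psk_match": ue_psk == ecs_psk,
        "ue_authenticated": hmac.compare_digest(prove(ue_psk, b"client", transcript),
                                                prove(ecs_psk, b"client", transcript)),
        "ecs_authenticated": hmac.compare_digest(prove(ecs_psk, b"server", transcript),
                                                 prove(ue_psk, b"server", transcript)),
    }
```

Calling `run_flow()` gives matching PSKs and mutual authentication; `run_flow(counter_seen_by_ecs=8)` shows the failure mode a mismatched freshness counter produces, which is why whatever carries the counter to the ECS must be part of the authenticated exchange rather than guessed by the server.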
In an embodiment, in steps 2D to 2H, an Internet Key Exchange version 2 (IKEv2) procedure may be performed instead of TLS. IKEv2 PSK-based authentication, or Extensible Authentication Protocol (EAP)-PSK within IKEv2 authentication, may be performed to establish IP security (IPsec) between the EEC 310 and the ECS 208a. The dynamically generated PSK (derived from K_ECS/K_AF) may be used in the IKEv2 procedure. In order for the ECS 208a to obtain the PSK, the AKMA key ID is included in an IKEv2 message. In an embodiment, the IKEv2 message includes Identification Data whose format is indicated by the ID Type; the length of the Identification Data is computed from the Identification (ID) payload header, as specified in RFC 7815. The AKMA key ID may be carried in the ID payload. In an embodiment, the Identification Data (a variable-length field) may be the concatenation of the EEC ID/UE ID and the AKMA key ID.
In an embodiment, EEC details (such as EEC ID, UE ID, AKMA key ID, etc.) may be taken as IKEv2 extension bearers in IKEv2 messages. In another embodiment, EEC details (such as EEC ID, UE ID, AKMA key ID, etc.) may be carried in a vendor ID payload within the IKEv2 message.
In an embodiment, the AKMA key ID may be included in the IKE AUTH request message. The AKMA key ID may be accommodated in the vendor ID field or no field of the IKE AUTH request message.
In an embodiment, in steps 2D to 2H, a secondary authentication as defined in 3gpp TS 33.501 may be performed instead of TLS. EAP-PSK authentication may be performed between the EEC 310 and the ECS 208 a. PSK (K) dynamically generated at steps 2A and 2G ECS /K AF ) May be used for EAP-PSK authentication. In order for the ECS 208a to obtain PSK, the AKMA key ID is included in the EAP request message.
In steps 2I through 2J, the EEC 310 of the UE 202 initiates a service provisioning procedure with the ECS 208a (as specified in clause 8.3 in 3GPP TS 23.558[2]). If the UE 202 is authorized to access the EES 208b, the ECS 208a generates and provides an access token to the EEC 310 of the UE 202. The exchange of messages (e.g., initial provisioning request and response messages) between the EEC 310 and the ECS 208a may be protected (at least one of confidentiality, integrity, and replay protection) by the established TLS session.
In an embodiment, if IKEv2 is used instead of TLS to establish IPSec in steps 2D through 2H, IPSec may be used to secure the exchange of messages between EEC 310 and ECS 208 a. In an embodiment, if the secondary authentication is performed in steps 2D to 2H instead of TLS, the message exchange between the EEC 310 and the ECS 208a may be protected using application layer protection. For example, the application layer protection may be JSON Web encryption (JWE, as specified in RFC 7516).
At step 3, the EEC 310 performs EEC registration (as specified in clause 8.4.2 in 3GPP TS 23.558[2]) and discovery (as specified in clause 8.5 in 3GPP TS 23.558[2]) with the EES 208b. At step 3A, before sending the access token to the EES 208b, the UE 202 and the EES 208b use the EES server certificate to establish a secure TLS connection, which is required to secure the access token and to deliver it to the genuine EES 208b.
At steps 3B through 3E, the EEC 310 initiates an EEC registration procedure with the EES 208b, including the access token obtained from the ECS 208a at step 2J. The authorization check for the EEC registration request may be performed by verifying the access token issued by the ECS 208a to the EEC 310 of the UE 202. The EES 208b obtains the access token validation service from the ECS 208a.
In alternative embodiments, steps 3B through 3E may be skipped, and EEC 310 may perform steps 3F through 3I after step 3A.
At steps 3F through 3I, the EEC 310 initiates an EAS discovery procedure with the EES 208b, including the same access token obtained from the ECS 208a at step 2J. To check whether the access token is valid, the EES 208b again obtains the access token verification service from the ECS 208a. In an embodiment, the EES 208b may also request and obtain an access token from the ECS 208a for the UE 202 to grant access to the EAS 208c. In the response to the request, the EES 208b includes an EAS access grant token and related information, such as validity time, for the EEC 310 of the UE 202.
If (in step 2J) the access token obtained from the ECS is not valid (due to time constraints), the EEC 310 requests a new access token from the ECS 208a by sending an access token request message to the ECS 208 a. The access token request message includes parameters necessary to identify the security context of the EEC 310 and parameters for verifying the authenticity of the EEC 310/UE 202. After verifying the authenticity of the EEC 310, the ECS 208a provides a new access token to the EEC 310 in response to the access token request message.
In an embodiment, similar to the steps (2D to 2I) of establishing a secure connection between the EEC 310 and the ECS 208a, the EEC 310 and the EES 208b may use TLS-PSK authentication to establish a secure interface (e.g., the EDGE-1 interface), where the AKMA key K_AKMA may be used by the AAnF 206 to derive the key K_EES, rather than the AKMA application key K_ECS being used by the ECS 208a to derive K_EES as depicted in fig. 9. The PSK may be established based on the AKMA procedure or as an alternative PSK (K_EES-PSK).
At steps 4A through 4F, the application client 312 of the UE 202 obtains edge computing services from the EAS 208c by presenting the access token obtained from the EES 208b over the secure TLS connection. In step 3I, the application client 312 also obtains a security policy and the associated access token from the EES 208b. Before sending the access token to the EAS 208c, the application client 312 and the EAS 208c use the EAS server credentials to establish a secure channel, which is required to secure the access token and to deliver it to the genuine EAS 208c. The EAS 208c obtains the access token verification service from the ECS 208a via the EES 208b to verify the access token received from the application client 312 of the UE 202. After successful verification of the access token, the application client 312 obtains edge computing services from the EAS 208c.
Fig. 7 depicts an example sequence diagram in which the UE 202 and the ECS 208a use TLS with PSK-based authentication to secure a connection for accessing edge computing services, where the AKMA key ID details are carried in the service provisioning request to establish the PSK before the TLS session establishment procedure, according to an embodiment of the present disclosure.
Referring to fig. 7, at step 1, the MT 308a of the UE 202 performs the procedure defined in 3GPP TS 23.502[5] to obtain 5GC network access.
At step 1A, the MT 308a initiates a network access authentication procedure (i.e., primary authentication and key agreement as specified in 3GPP TS 33.501 clause 6.1). Upon completion of the network access authentication procedure, the MT 308a and the AUSF 406 hold (have successfully generated) the key K_AUSF.
At step 2A, the EEC 310 of the UE 202 derives an AKMA key as specified in 3GPP TS 33.535 and optionally other keys, such as the key K_ECS. The key K_ECS is an AKMA application key (K_AF) derived as specified in 3GPP TS 33.535. If the UE 202 has a valid K_ECS for the ECS 208a, the EEC 310 may skip step 2A.
At steps 2B and 2C, the AUSF 406 generates an AKMA key (K_AKMA) and provides it to the AAnF 206 as specified in 3GPP TS 33.535.
If there is a valid TLS session available with the ECS 208a, the UE 202 skips steps 2D through 2I.
If there is no valid TLS session available with the ECS 208a, steps 2D through 2I may be performed to establish a secure TLS session between the UE 202 and the ECS 208a using PSK-based authentication. For PSK-based authentication, the PSK is established between the ECS 208a and the EEC 310 of the UE 202 using the AKMA procedure.
At steps 2D through 2I, to establish the PSK before initiating the TLS session establishment procedure, a service provisioning request (also referred to as an edge computing service provisioning procedure) carrying the AKMA key ID causes the ECS 208a to obtain the PSK by contacting the AAnF 206 with the information in the AKMA key ID. Once the PSK is available at the EEC 310 and the ECS 208a (the PSK may be generated from the AKMA application key (K_ECS/K_AF), or the AKMA application key (K_ECS/K_AF) may be used as the PSK), a TLS session/connection establishment procedure may be initiated by the EEC 310 to establish a TLS session with the ECS 208a using PSK-based authentication. PSK-based authentication may be used for mutual authentication between the EEC 310 and the ECS 208a or for authentication of the EEC 310.
The EEC 310 initiates a service provisioning procedure with the ECS 208a (as specified in clause 8.3 in 3GPP TS 23.558). The service provisioning procedure may include at least one of a request-response procedure and a subscription-notification procedure (including a subscription update procedure and an unsubscribe procedure). In the examples herein, the EEC 310 initiates the service provisioning procedure with the ECS 208a by sending a service provisioning request to the ECS 208a. The service provisioning request message from the EEC 310 includes the AKMA key ID.
Fig. 8A and 8B depict service provisioning requests and service provisioning responses, respectively, according to various embodiments of the present disclosure.
Referring to fig. 8A, a service provisioning request is depicted in an example table. The AKMA key ID indicates that authentication and secure connection establishment are required and that the PSK is to be established using the AKMA procedure. The ECS 208a contacts the AAnF 206 (using the AKMA key ID) to obtain the corresponding AKMA application key (K_ECS/K_AF). Based on the AKMA key ID, the AAnF 206 provides the AKMA application key (K_ECS/K_AF) to the ECS 208a. After obtaining the AKMA application key (K_ECS/K_AF) from the AAnF 206, the ECS 208a instructs the EEC 310 to initiate the TLS connection setup procedure by sending a service provisioning response to the EEC 310.
Referring to fig. 8B, a service provisioning response is depicted. Upon receiving the indication from the ECS 208a, the EEC 310 initiates the TLS connection establishment procedure using PSK-based authentication. The dynamically generated PSK (at steps 2A and 2G) may be used to perform PSK-based authentication to establish a TLS connection between the EEC 310 and the ECS 208a.
At steps 2I to 2J, the EEC 310 of the UE 202 initiates a service provisioning procedure with the ECS 208a (as specified in clause 8.3 in 3GPP TS 23.558[2]). If the UE 202 is authorized to access the EES 208b, the ECS 208a generates and provides an access token to the EEC 310 of the UE 202. The exchange of messages (e.g., initial provisioning request and response messages) between the EEC 310 and the ECS 208a may be protected (at least one of confidentiality, integrity, and replay protection) by the established TLS session.
At step 3, the EEC 310 performs EEC registration (as specified in clause 8.4.2 in 3GPP TS 23.558[2]) and discovery (as specified in clause 8.5 in 3GPP TS 23.558[2]) with the EES 208b. At step 3A, before sending the access token to the EES 208b, the UE 202 and the EES 208b use the EES server certificate to establish a secure TLS connection, which is required to secure the access token and to deliver it to the genuine EES 208b.
At steps 3B through 3E, the EEC 310 initiates an EEC registration procedure with the EES 208b, including the access token obtained from the ECS 208a at step 2J. The authorization check for the EEC registration request may be performed by verifying the access token issued by the ECS 208a to the EEC 310 of the UE 202. The EES 208b obtains the access token validation service from the ECS 208a.
In alternative embodiments, steps 3B through 3E may be skipped, and EEC 310 may perform steps 3F through 3I after step 3A.
At steps 3F through 3I, the EEC 310 initiates an EAS discovery procedure with the EES 208b, including the same access token obtained from the ECS 208a at step 2J. To check whether the access token is valid, the EES 208b again obtains the access token verification service from the ECS 208a. In an embodiment, the EES 208b may also request and obtain an access token from the ECS 208a for the UE 202 to grant access to the EAS 208c. In the response to the request, the EES 208b includes an EAS access grant token and related information, such as validity time, for the EEC 310 of the UE 202.
If the access token obtained from the ECS is not valid (in step 2J), the EEC 310 requests a new access token from the ECS 208a by sending an access token request message to the ECS 208 a. The access token request message includes parameters necessary to identify the security context of the EEC 310 and parameters for verifying the authenticity of the EEC 310/UE 202. After verifying the authenticity of the EEC 310, the ECS 208a provides a new access token to the EEC 310 in response to the access token request message.
In an embodiment, similar to the steps (2D to 2I) of establishing a secure connection between the EEC 310 and the ECS 208a, the EEC 310 and the EES 208b may use TLS-PSK authentication to establish a secure interface (e.g., the EDGE-1 interface), where the AKMA key K_AKMA may be used by the AAnF 206 to derive the key K_EES, rather than the AKMA application key K_ECS being used by the ECS 208a to derive K_EES as depicted in fig. 9. The PSK may be established based on the AKMA procedure or as an alternative PSK (K_EES-PSK).
At steps 4A through 4F, the application client 312 of the UE 202 obtains edge computing services from the EAS 208c by presenting the access token obtained from the EES 208b over the secure TLS connection/session. In step 3I, the application client 312 also obtains a security policy and the associated access token from the EES 208b. Before sending the access token to the EAS 208c, the application client 312 and the EAS 208c use the EAS server credentials to establish a secure channel, which is required to secure the access token and to deliver it to the genuine EAS 208c. The EAS 208c obtains the access token verification service from the ECS 208a via the EES 208b to verify the access token received from the application client 312 of the UE 202. After successful verification of the access token, the application client 312 obtains edge computing services from the EAS 208c.
In an embodiment, if the ECS 208a wants to send a service provisioning notification and there is no active TLS session, the ECS 208a sends an indication to the EEC 310 that authentication is required, or triggers a re-authentication procedure. Upon receiving the indication from the ECS 208a that authentication is required, or upon the ECS 208a triggering a re-authentication procedure, the EEC 310 initiates a secure connection establishment procedure (a TLS/IKEv2/Protocol Data Unit (PDU) session establishment procedure, such that the CN 204 initiates a secondary authentication procedure) or responds to the re-authentication procedure.
In an embodiment, symmetric encryption may be used between the issuer (e.g., ECS 208a/EES 208b/EAS 208c/AAnF 206) and the EEC 310 of the UE 202 to protect the access token, regardless of the security (e.g., TLS, IPsec, etc.) of the EDGE interface (e.g., EDGE-1 interface, EDGE-4 interface, etc.). The use of symmetric encryption to protect access tokens is described in detail in connection with fig. 10.
Fig. 9 is an example diagram depicting generation of the PSK from the AKMA-based application key (K_AKMA), according to an embodiment of the present disclosure.
Referring to fig. 9, in an embodiment, the PSK may be generated at the EEC 310 and the ECS 208a from the AKMA application key K_ECS/K_AF as follows:
PSK = KDF(K_ECS/K_AF, other possible parameters)
Other possible parameters include, among others, at least one of an FC value, any text string such as "PSK", a freshness parameter, etc. Other possible ways of deriving the PSK are depicted in fig. 9.
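The PSK derivation PSK = KDF(K_ECS/K_AF, other possible parameters) described for steps 2D to 2H and for fig. 9, with the parameter list of claim 9 (FC value, GPSI, EEC ID, ECS ID, the string "PSK" and a counter as freshness parameter), as an added example that is not part of the patent. The KDF is assumed to be the generic 3GPP key derivation function of TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 || ...), the FC values and all identifiers are constructed placeholders, and the ECS-side derivation of K_EES from K_ECS mentioned for fig. 9 is included as a second use of the same KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Kdf is the generic 3GPP key derivation function of TS 33.220 Annex B, assumed
// here as the KDF in PSK = KDF(K_ECS, other possible parameters): the output is
// HMAC-SHA-256 keyed with the input key over S = FC || P0 || L0 || P1 || L1 || ...,
// where each Li is the 2-octet big-endian length of Pi.
func Kdf(key []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(s, p...)
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(p)))
		s = append(s, l[:]...)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(s)
	return mac.Sum(nil)
}

// FC values are placeholders: the description requires an FC value but does
// not assign one, so these are constructed for the example only.
const (
	fcPSK  byte = 0xA0 // derivation of K_ECS-PSK from K_ECS
	fcKEES byte = 0xA1 // derivation of K_EES from K_ECS by the ECS (fig. 9 variant)
)

// PSKInputs lists the "other possible parameters" named in the description and
// claim 9: GPSI, EEC ID, ECS ID, the text string "PSK" and a freshness counter.
type PSKInputs struct {
	GPSI       string
	EECID      string
	ECSID      string
	CounterEEC uint16 // freshness parameter: Counter_EEC maintained by the EEC
}

// DerivePSK computes K_ECS-PSK = KDF(K_ECS, FC, GPSI, EEC ID, ECS ID, "PSK", Counter_EEC).
// The EEC and the ECS run this independently on the same inputs and obtain the same PSK.
func DerivePSK(kECS []byte, in PSKInputs) []byte {
	ctr := make([]byte, 2)
	binary.BigEndian.PutUint16(ctr, in.CounterEEC)
	return Kdf(kECS, fcPSK, []byte(in.GPSI), []byte(in.EECID), []byte(in.ECSID), []byte("PSK"), ctr)
}

// DeriveKEES is the ECS-side derivation of K_EES from K_ECS for the EDGE-1 interface.
func DeriveKEES(kECS []byte, eesID string) []byte {
	return Kdf(kECS, fcKEES, []byte(eesID))
}

// LSB128 and MSB128 are the two truncations the description names when K_ECS/K_AF
// itself serves as the PSK (128 least / most significant bits of the 256-bit key).
func LSB128(k []byte) []byte { return k[len(k)-16:] }
func MSB128(k []byte) []byte { return k[:16] }

func main() {
	// Constructed sample K_ECS (32 bytes); a real one comes from the AKMA procedure.
	kECS := make([]byte, 32)
	for i := range kECS {
		kECS[i] = byte(i)
	}
	in := PSKInputs{GPSI: "msisdn-sample", EECID: "eec-sample", ECSID: "ecs-sample", CounterEEC: 0x0001}
	eecSide := DerivePSK(kECS, in)
	ecsSide := DerivePSK(kECS, in)
	fmt.Println("PSK (EEC):", hex.EncodeToString(eecSide))
	fmt.Println("PSK (ECS):", hex.EncodeToString(ecsSide))
	fmt.Println("same on both sides:", hmac.Equal(eecSide, ecsSide))
	in.CounterEEC++ // a fresh counter yields a different PSK for the next session
	fmt.Println("PSK (next):", hex.EncodeToString(DerivePSK(kECS, in)))
	fmt.Println("K_EES:", hex.EncodeToString(DeriveKEES(kECS, "ees-sample")))
	fmt.Println("LSB128 of K_ECS:", hex.EncodeToString(LSB128(kECS)))
}
```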
Fig. 10 is an example diagram depicting a symmetric encryption or encryption and decryption mechanism for protecting access tokens according to an embodiment of the present disclosure.
Referring to fig. 10, input parameters may be provided to an encryption module for use in generating a keystream block. The input parameters may include at least one of a 128-bit cryptographic key named KEY, a 32-bit COUNT, a 5-bit bearer identification BEARER, a 1-bit transmission direction DIRECTION, the required keystream length LENGTH, etc. The KEY input parameter may be an encryption key, e.g., at least one of K_ECSenc and K_EESenc. In an example, all BEARER bits must be set to 1, the DIRECTION bit must be set to 1, and COUNT must be built as COUNT = 0x00 || Counter_EEC. The keystream block and the access token are combined to produce a ciphertext block (i.e., an encrypted access token). Similarly, at the UE 202/EEC 310, the keystream block and the ciphertext block are combined to recover the access token by decrypting the ciphertext.
The EEC 310 of the UE 202 and the ECS 208a associate a 16-bit counter Counter_EEC with the key K_ECS. When deriving an AKMA application key (K_ECS), the EEC 310 initializes Counter_EEC to 0x0001. The EEC 310 and the ECS 208a maintain a Counter_EEC for the AKMA application key (K_ECS). The EEC 310/ECS 208a sets Counter_EEC to 0x0002 after the first use and increases Counter_EEC monotonically after each additional use. For each use, Counter_EEC may be incremented by the EEC 310/ECS 208a. The EEC 310 and the ECS 208a exchange Counter_EEC (used for generating a MAC-I or for encryption) together with the protected message. The EEC 310 or the ECS 208a accepts only Counter_EEC values greater than the stored Counter_EEC value. The ECS 208a stores the received Counter_EEC.
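The keystream-based protection of access tokens and the Counter_EEC rules described above, as an added example that is not part of the patent. The "encryption module" is assumed to be the AES-CTR based 128-NEA2 algorithm of TS 33.501 with its COUNT || BEARER || DIRECTION counter-block layout, the 16-bit Counter_EEC is assumed to fill the low-order bits of COUNT, the key and token are constructed sample values, and the counter-exhaustion check is an added safeguard the description does not mention.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Fixed inputs required by the description: all 5 BEARER bits set to 1 and the
// 1-bit DIRECTION set to 1.
const (
	bearerAllOnes byte = 0x1F
	directionOne  byte = 0x01
)

// KeystreamIV lays out the 128-bit counter block as the AES-CTR based 128-NEA2
// algorithm of TS 33.501 does (assumed as the "encryption module"):
// COUNT(32 bits) || BEARER(5 bits) || DIRECTION(1 bit) || 26 zero bits || 64 zero bits.
func KeystreamIV(count uint32, bearer, direction byte) []byte {
	iv := make([]byte, 16)
	binary.BigEndian.PutUint32(iv[0:4], count)
	iv[4] = (bearer&0x1F)<<3 | (direction&0x01)<<2
	return iv
}

// countFromCounterEEC forms COUNT = 0x00 || Counter_EEC; the 16-bit counter is
// assumed to occupy the low-order bits of the 32-bit COUNT.
func countFromCounterEEC(counterEEC uint16) uint32 { return uint32(counterEEC) }

// applyKeystream generates LENGTH = len(data) bytes of keystream for
// KEY/COUNT/BEARER/DIRECTION and XORs it into data: token -> ciphertext block,
// and ciphertext block -> token again on the receiving side.
func applyKeystream(key []byte, count uint32, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // KEY must be 128 bits
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, KeystreamIV(count, bearerAllOnes, directionOne)).XORKeyStream(out, data)
	return out, nil
}

// TokenProtector holds K_ECSenc with the Counter_EEC state one endpoint keeps:
// the next value to send with a protected token and the highest value accepted.
type TokenProtector struct {
	key          []byte
	next         uint16 // initialised to 0x0001 when K_ECS is derived
	lastAccepted uint16 // 0 until a first protected token is accepted (assumption)
}

func NewTokenProtector(kECSenc []byte) *TokenProtector {
	return &TokenProtector{key: kECSenc, next: 0x0001}
}

// Protect encrypts an access token and returns the Counter_EEC that travels with
// it; the counter is 0x0002 after the first use and grows monotonically.
func (p *TokenProtector) Protect(token []byte) (uint16, []byte, error) {
	if p.next == 0xFFFF { // not in the description: refuse to wrap the counter
		return 0, nil, errors.New("Counter_EEC exhausted; a fresh K_ECS is needed")
	}
	ctr := p.next
	ct, err := applyKeystream(p.key, countFromCounterEEC(ctr), token)
	if err != nil {
		return 0, nil, err
	}
	p.next++
	return ctr, ct, nil
}

// Unprotect decrypts a received token but, as the description requires, accepts
// only a Counter_EEC greater than the stored one, then stores the accepted value.
func (p *TokenProtector) Unprotect(ctr uint16, ciphertext []byte) ([]byte, error) {
	if ctr <= p.lastAccepted {
		return nil, errors.New("replayed or stale Counter_EEC")
	}
	pt, err := applyKeystream(p.key, countFromCounterEEC(ctr), ciphertext)
	if err != nil {
		return nil, err
	}
	p.lastAccepted = ctr
	return pt, nil
}

func main() {
	// Constructed sample K_ECSenc (128 bits) and access token, not real values.
	kECSenc := []byte("0123456789abcdef")
	token := []byte(`{"sub":"eec-sample","aud":"ees-sample","exp":1700000000}`)
	ecs := NewTokenProtector(kECSenc) // issuer side
	eec := NewTokenProtector(kECSenc) // UE side
	ctr, ct, _ := ecs.Protect(token)
	fmt.Printf("Counter_EEC=0x%04X ciphertext=%x\n", ctr, ct)
	pt, err := eec.Unprotect(ctr, ct)
	fmt.Printf("decrypted=%s err=%v\n", pt, err)
	_, err = eec.Unprotect(ctr, ct) // same counter again is rejected
	fmt.Println("replay rejected:", err != nil)
}
```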
Embodiments herein also disclose a new procedure for establishing PSK to protect EDGE interfaces (e.g., EDGE-1 interface and/or EDGE-4 interface). The EEC 310 initiates the initial security setup procedure by sending an initial security setup request message to the ECS 208a/EES 208b (instead of step 2D in fig. 7). The initial security setup request message includes at least one of an AKMA key ID, a UE ID, an EEC ID, etc.
After receiving the initial security setup request message, if a valid PSK is not available to the ECS 208a/EES 208b for the UE 202, the ECS 208a/EES 208b may perform steps similar to steps 2E through 2G as depicted in fig. 7. Steps 2E through 2G as depicted in fig. 7 may be performed by the ECS 208a/EES 208b to obtain a valid key or to determine successful generation of a valid key and PSK. After obtaining the valid key or determining successful generation of the valid key and PSK, the ECS 208a/EES 208b sends an initial security setup response message to the EEC 310. The initial security setup response message includes a success status and possibly other parameters (instead of step 2H depicted in fig. 7). After receiving a success status from the ECS 208a/EES 208b, the EEC 310 performs the remaining steps from step 2I as detailed in fig. 7. In an embodiment, the initial security setup response message includes an error status if the generation of the PSK is unsuccessful. In this case, the EEC 310 may terminate the session for accessing the edge computing service.
Embodiments herein disclose enabling authentication of a UE prior to actual communication between the UE and an ECS by providing required credentials and establishing a secure session/connection between the UE and the ECS for accessing edge computing services based on successful authentication and authorization of the UE and the ECS. Embodiments herein use AKMA network services for authentication and establishment of secure connections between a UE and an ECS. AKMA network services are authentication and key agreement services in which access to an Application Function (AF)/server (e.g., ECS) and establishment of a secure connection between a UE and an AF is based on network access security credentials established during primary authentication of the UE.
The embodiments disclosed herein may be implemented by at least one software program running on at least one hardware device and executing network management functions to control elements. The elements shown in fig. 2, 3, 4, and 5 may be at least one of hardware devices or a combination of hardware devices and software modules.
Embodiments disclosed herein describe methods and systems for authentication of edge computing services and establishment of secure connections. It should therefore be understood that the scope of protection extends to such programs, and that such computer readable storage means comprise, in addition to the computer readable means having the message therein, program code means for carrying out one or more operations of the method when the program is run on a server or mobile device or any suitable programmable device. In a preferred embodiment, the method is implemented by a software program written in, for example, the very high speed integrated circuit hardware description language (VHDL) or another programming language, or by one or more VHDL or several software modules executing on at least one hardware device. The hardware device may be any kind of portable device that can be programmed. The apparatus may further comprise means which may be: for example, a hardware device (e.g., an Application Specific Integrated Circuit (ASIC)), or a combination of hardware and software devices (e.g., an ASIC and a Field Programmable Gate Array (FPGA)), or at least one microprocessor and at least one memory within which software modules are located. The method embodiments described herein may be implemented in part in hardware and in part in software. Alternatively, the present disclosure may be implemented on different hardware devices, e.g., using multiple CPUs.
While the present disclosure has been shown and described with reference to various embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present disclosure as defined by the appended claims and their equivalents.

Claims (15)

1. A method for establishing a secure connection for accessing an edge computing service, the method comprising:
performing, by the user equipment UE, authentication with the core network CN using the subscription credentials;
after performing the authentication with the CN, deriving, by the UE, an edge configuration server specific key K_ECS for at least one edge computing service; and
initiating, by the UE, a secure connection establishment procedure with a server by establishing a pre-shared key PSK based on the derived K_ECS, to establish the secure connection for accessing the at least one edge computing service.
2. The method of claim 1, wherein the establishing of the secure connection comprises establishing a secure channel between the UE and the server for accessing the at least one edge computing service.
3. The method of claim 1, wherein the UE comprises an edge-enabled client EEC and the server comprises an edge configuration server ECS, and
wherein the authentication performed with the CN is a primary network access procedure.
4. The method of claim 1, wherein the secure connection establishment procedure comprises a transport layer secure TLS session establishment procedure and the secure connection comprises a secure TLS session.
5. The method of claim 1, wherein initiating, by the UE, the secure connection establishment procedure with the server comprises:
transmitting, by the UE, an application key identifier, ID, to the server in a first message or a second message; and
initiating by the UE the secure connection establishment procedure with the server to establish the secure connection based on the first message or the second message for sending the application key ID to the server,
wherein the application key ID is an application authentication and key management AKMA key ID used for identifying an application security context in an application anchor function to derive the K_ECS, and
wherein the first message is a TLS protocol message carrying the application key ID and the second message is a service provision request.
6. The method of claim 5, wherein if the application key ID is sent from the UE to the server in the first message, initiating the secure connection establishment procedure to establish the secure connection comprises:
initiating, by the UE, the secure connection establishment procedure in parallel with sending the application key ID to the server in the first message;
after initiating the secure connection establishment procedure, deriving, by the UE and the server, the PSK based on the K_ECS or using the K_ECS as the PSK; and
performing, by the UE and the server, mutual authentication with each other using the PSK to establish the secure connection for the at least one edge computing service.
7. The method of claim 5, wherein if the application key ID is sent from the UE to the server in the second message, initiating the secure connection establishment procedure to establish the secure connection comprises:
after sending the application key ID from the UE to the server in the second message, deriving, by the UE and the server, the PSK based on the K_ECS or using the K_ECS as the PSK;
transmitting, by the server, a request to the UE to initiate the secure connection establishment procedure after deriving the PSK;
initiating, by the UE, the secure connection establishment procedure based on the request received from the server;
performing, by the UE and the server, mutual authentication with each other using the PSK to establish the secure connection for the at least one edge computing service; and
providing, by the server, authorization credentials to the UE in response to the second message over the established secure connection.
8. The method of claim 6, wherein deriving, by the server, the PSK comprises:
providing, by the server, a key request including the application key ID received from the UE to the application anchor function, wherein the application anchor function derives the K_ECS for the received application key ID;
receiving, by the server, the K_ECS from the application anchor function in a key response; and
deriving, by the server, the PSK based on the received K_ECS or using the K_ECS as the PSK,
wherein the application anchor function is an AKMA anchor function AAnF.
9. The method of claim 6, wherein deriving, by the UE and the server, the PSK based on the K_ECS comprises:
deriving the PSK according to a key derivation function of the edge configuration server specific key K_ECS and parameters including at least one of a function code FC value, a generic public subscription identifier GPSI, an EEC ID, an ECS ID, a text string such as "PSK", or a freshness parameter,
wherein the freshness parameter is a counter value maintained by an EEC of the UE.
10. An edge computing system, comprising:
a server; and
a user equipment, UE, coupled to the server and configured to:
authentication with the core network CN is performed using the subscription credentials,
deriving an edge configuration server specific key K_ECS for at least one edge computing service after performing the authentication with the CN, and
initiating a secure connection establishment procedure with the server by establishing a pre-shared key PSK based on the derived K_ECS, to establish a secure connection for accessing the at least one edge computing service.
11. The edge computing system of claim 10, wherein the UE is configured to:
transmitting an application key identifier ID to the server in the first message or the second message; and
initiating the secure connection establishment procedure with the server to establish the secure connection based on the first message or the second message for sending the application key ID to the server.
12. The edge computing system of claim 11, wherein if the application key ID is sent from the UE to the server in the first message, the UE is configured to:
initiating the secure connection establishment procedure in parallel with sending the application key ID to the server in the first message, and
wherein the UE and the server are configured to:
derive the PSK based on the K_ECS or use the K_ECS as the PSK after initiating the secure connection establishment procedure, and
perform mutual authentication with each other using the PSK to establish the secure connection for the at least one edge computing service.
13. The edge computing system of claim 11, wherein if the application key ID is sent from the UE to the server in the second message, the UE and the server are configured to:
derive the PSK based on the K_ECS or use the K_ECS as the PSK after sending the application key ID from the UE to the server in the second message;
wherein the server is configured to:
a request is sent to the UE to initiate the secure connection establishment procedure after deriving the PSK,
wherein the UE is configured to:
initiating the secure connection establishment procedure based on the request received from the server, and
wherein the UE and the server are configured to:
performing mutual authentication with each other using the PSK to establish the secure connection for the at least one edge computing service, and
providing authorization credentials to the UE in response to the second message over the established secure connection.
14. A user equipment, UE, in an edge computing system, comprising:
an application client; and
an edge-enabled client EEC coupled to the application client, the EEC configured to:
authentication with the core network CN is performed using the subscription credentials,
deriving an edge configuration server specific key K_ECS for at least one edge computing service after performing the authentication with the CN,
sending an application key identifier ID to the server in a first message or a second message,
initiating a secure connection establishment procedure with the server based on the first message or the second message for sending the application key ID and, for the at least one edge computing service, deriving a pre-shared key PSK using the K_ECS or using the K_ECS as the PSK, and
enabling mutual authentication between the UE and the server to be performed using the PSK to establish a secure connection for the at least one edge computing service.
15. A server in an edge computing system, comprising:
a memory; and
a controller coupled to the memory, the controller configured to:
receiving an application key identifier (key ID) from a user equipment UE for at least one edge computing service,
acquiring an edge configuration server specific key K_ECS from an application anchor function for the received application key ID,
deriving a pre-shared key PSK based on the acquired K_ECS or using the K_ECS as the PSK, and
enabling mutual authentication between the UE and the server to be performed using the PSK to establish a secure connection for the at least one edge computing service.
CN202180069021.7A 2020-10-08 2021-10-08 Method and system for establishing and authenticating secure connection for edge computing service Pending CN116368833A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
IN202041043965 2020-10-08
IN202041043965 2021-10-05
PCT/KR2021/013932 WO2022075815A1 (en) 2020-10-08 2021-10-08 Methods and systems for authentication and establishment of secure connection for edge computing services

Publications (1)

Publication Number Publication Date
CN116368833A true CN116368833A (en) 2023-06-30

Also Published As

Publication number Publication date
EP4209027A4 (en) 2024-02-28
US20220116774A1 (en) 2022-04-14
WO2022075815A1 (en) 2022-04-14
EP4209027A1 (en) 2023-07-12

Similar Documents

Publication Publication Date Title
CN111373712B (en) Method and system for authenticating Application Program Interface (API) callers
JP6889263B2 (en) Secondary authentication of user equipment
US10943005B2 (en) Secure authentication of devices for internet of things
EP3657894B1 (en) Network security management method and apparatus
JP6086987B2 (en) Restricted certificate enrollment for unknown devices in hotspot networks
US20240298174A1 (en) Method and systems for authenticating ue for accessing non-3gpp service
US10462671B2 (en) Methods and arrangements for authenticating a communication device
US11582233B2 (en) Secure authentication of devices for Internet of Things
JP2018532325A (en) User equipment UE access method, access device, and access system
WO2019095990A1 (en) Communication method and device
EP4057658A1 (en) Machine-card verification method applied to minimalist network, and related device
WO2017197596A1 (en) Communication method, network equipment, and user equipment
US20220116774A1 (en) Methods and systems for authentication and establishment of secure connection for edge computing services
US20240314561A1 (en) Method and system of authentication and authorization in an msgin5g server
CN114449521B (en) Communication method and communication device
CN116325846A (en) Method and apparatus for establishing secure connection for edge computing services
CN116868609A (en) User equipment authentication and authorization procedure for edge data networks
WO2023159603A1 (en) Security implementation method and apparatus, terminal device, and network elements
WO2024092444A1 (en) Communication method and apparatus
WO2024093923A1 (en) Communication method and communication apparatus
WO2024033256A1 (en) Improved security establishment methods and systems
CN115843447A (en) Network authentication of user equipment access to edge data networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination